Ask the Experts

Ask the Experts

• What should CISOs include in security reports?

  Security reports are a good way for CISOs to communicate with the board of directors. Here are specific topics that should be included in the reporting.  Continue Reading

• Does analyzing motion for mobile malware detection work?

  Motion and gestures are being used for mobile malware detection on smartphones. Learn how this method works and whether it is a worthy addition to an enterprise security strategy.  Continue Reading

• XSS vs. XSSI: What is cross-site script inclusion?

  Expert Michael Cobb explains the difference between cross-site scripting and cross-site scripting inclusion (XSSI) flaws.  Continue Reading

• Why did Anthem resist government vulnerability assessments?

  Vulnerability assessments are often a requirement for organizations that have suffered a data breach and the assessors' results can be invaluable to protect a business.  Continue Reading

• How should enterprises manage social media compliance incidents?

  Social media compliance incidents in financial institutions are on the rise. Here are the most common violations and how to avoid them in the future.  Continue Reading

• How can power consumption-tracking malware be avoided?

  Malware authors are using power consumption tracking-malware to eavesdrop on and attack mobile devices. Expert Nick Lewis explains the threat and how to defend against it.  Continue Reading

• Should security funds be dedicated to hiring or tools?

  Security funds can be tough to come by, so when managers get them should they focus on strengthening security through hiring or through purchasing tools?  Continue Reading

• How will the Cybersecurity Information Sharing Act affect enterprises?

  The Cybersecurity Information Sharing Act has ruffled some feathers in the security industry. What is the CISA and what is the debate around it?  Continue Reading

• Does the HHS Web portal affect data breach reporting?

  HIPAA data breach reporting now uses an electronic Web portal, so what does this mean for covered entities? Expert Mike Chapple explains.  Continue Reading

• Should the Netdump flaw deter enterprise ODL SDN use?

  The benefits of the ODL SDN platform are promising, but what about the recent Netdump flaw it experienced? Expert Kevin Beaver discusses why you may not want to pass on OpenDayligh just yet.  Continue Reading

• Can a new encryption trick prevent reverse engineering?

  Expert Michael Cobb explains how reverse engineering can be made more difficult with an approach called Hardened Anti-Reverse Engineering System or HARES.  Continue Reading

• How can I mitigate the risks of alternative Android browsers?

  Expert Michael Cobb explains the security risks surrounding alternative Web browsers, as well as approaches enterprises can take to prevent BYOD employees from using them.  Continue Reading

• How should enterprises react to compromised biometric information?

  Securing biometric information is a crucial step for enterprises to take, but what happens if the data is still compromised? Expert Randall Gamby discusses biometric data security.  Continue Reading

• What VoLTE security risks should enterprises be aware of?

  Mobile devices are coming enabled for VoLTE for voice and video calling, but what are the risks? Network security expert Kevin Beaver explains.  Continue Reading

• How can CISOs promote interdepartmental cooperation?

  CISOs should take on the responsibility of encouraging interdepartmental cooperation between the security team and IT operations. Here are five ways to accomplish this lofty task.  Continue Reading

• Can thinking like cyberattackers improve organizations' security?

  Getting in the minds of cyberattackers can help organizations mount better defenses against attacks. Here are some ways to accomplish this.  Continue Reading

• What do organizations need to know about privacy in a HIPAA audit?

  A HIPAA audit covers privacy compliance, and organizations need to be prepared. Expert Mike Chapple discusses privacy in the audits.  Continue Reading

• Can simple photography beat biometric systems?

  Simple photography cracking biometric systems highlights the need for two-factor authentication in enterprises according to expert Randall Gamby.  Continue Reading

• What does bimodal IAM mean for user credentials?

  Bimodal IAM may be a new term, but this new way to use user credentials should probably already be in practice among secure organizations.  Continue Reading

• Can reviewing credential dumps protect identity information?

  Reviewing credential dumps could potentially save identity information from being stolen and used in a data breach. Expert Randall Gamby explains why it's worth the extra work.  Continue Reading

• Browser and device fingerprinting: Undeletable cookies of the future?

  Browser and device fingerprinting create cookies that users cannot prevent nor delete. Expert Michael Cobb explains how to address the threat.  Continue Reading

• What is the best mobile malware protection against NotCompatible.C?

  A sophisticated variant of the NotCompatible malware has emerged that is difficult to detect and defend against. Expert Nick Lewis offers tips for handling NotCompatible.C.  Continue Reading

• Should privacy professionals be legal minds or techies?

  Hiring privacy professionals for your enterprise can be a daunting task. Expert Mike O. Villegas explains the role and what qualities to look for in candidates.  Continue Reading

• BSA updates: What's new in the Bank Secrecy Act?

  The Bank Secrecy Act (BSA) updates will help firms prepare for the 2015 bank examinations. Here are some of the basics from this lengthy guidance.  Continue Reading

• How should we hire for specialized information security roles?

  A rise in specialized roles puts extra pressure on security hiring. Expert Mike O. Villegas explains how to meet this demand and find talented security professionals.  Continue Reading

• The CEO refuses cybersecurity best practices: Now what?

  Some executives don't think cybersecurity best practices apply to them. Expert Mike O. Villegas explains how to handle that situation.  Continue Reading

• How can security pros cope with a limited information security budget?

  Many security professionals have to operate within a small information security budget. Expert Mike O. Villegas reviews some tips to maximizing the budget and persuading management to increase it.  Continue Reading

• How does the Melbourne Shuffle prevent data access pattern recognition?

  Access pattern recognition in the cloud is becoming an enterprise risk. Expert Michael Cobb explains how the Melbourne Shuffle can improve access pattern security.  Continue Reading

• Do HIPAA compliance requirements change during health crises?

  Outbreaks of Ebola caused widespread fear, but should enterprises be worried about the effect on HIPAA compliance requirements? Compliance expert Mike Chapple explains.  Continue Reading

• What are the secrets to SIEM deployment success?

  Many organizations deploy security information and event management systems without the proper planning and therefore can't reap the proper rewards. Expert Kevin Beaver offers tips for a successful implementation.  Continue Reading

• NAS security: How to combat network-attached storage device risks

  Network-attached storage devices can present a plethora of security issues to an enterprise. Expert Kevin Beaver explains how to detect and mitigate the risks.  Continue Reading

• How should agencies prepare for federal security scanning?

  What do agencies need to consider before going through the Department of Homeland Security's network security scanning? Expert Mike Chapple answers.  Continue Reading

• What are HIPAA's mobile app requirements that developers should know?

  There's a lot of confusion surrounding the HIPAA compliance requirements for mobile health apps. Expert Mike Chapple finally clears it up for health app vendors.  Continue Reading

• Can Vawtrak malware block enterprise security software?

  Emerging malware, like the Vawtrak banking malware, has the ability to block enterprise antimalware measures. Expert Nick Lewis explains how to mitigate the risk.  Continue Reading

• Emotet: How can traffic-sniffing banking malware be thwarted?

  A new variety of banking malware can sniff traffic from APIs. Enterprise threats expert Nick Lewis outlines how to mitigate the risk.  Continue Reading

• Which network security certification is best to pursue?

  With a number of new network security certifications available, knowing which one will best help your career can be confusing. Expert Kevin Beaver discusses the options.  Continue Reading

• What's the best way to find enterprise compliance tools?

  Looking for compliance tools? Expert Mike Chapple explains why the best place to start the search is within your own information security infrastructure.  Continue Reading

• What's the best firewall for cloud, SDN and mobile environments?

  As the enterprise grows more mobile and virtualized, finding the best firewall can be challenging. Expert Kevin Beaver advises how to find your enterprise's most effective option.  Continue Reading

• Can the PORTAL travel router improve traffic security?

  A pocket-sized travel router can reportedly keep Internet traffic secure. Is it too good to be true? Expert Kevin Beaver discusses.  Continue Reading

• How can Microsoft XML vulnerabilities be mitigated?

  A reported 43% of Microsoft XML users are running vulnerable versions of the software. Security expert Michael Cobb discusses how to mitigate the risks.  Continue Reading

• Can setting a cache-control header improve application data security?

  Application security expert Michael Cobb reviews the cache-control header codes that can help prevent a Web application from storing sensitive data.  Continue Reading

• Are LibreSSL and BoringSSL safe OpenSSL alternatives?

  Since the revelation of the Heartbleed flaw, OpenSSL security has been put into question. Expert Michael Cobb discusses whether LibreSSL and BoringSSL could serve as OpenSSL alternatives.  Continue Reading

• How can vishing attacks be prevented?

  Enterprise threats expert Nick Lewis explains what vishing attacks are and offers best practices for defending against them.  Continue Reading

• How vulnerable is Silverlight security?

  Microsoft Silverlight has been in the spotlight due to an increase in the number of exploit kits it is included in. Expert Nick Lewis explains the threat's severity and how to mitigate it.  Continue Reading

• SHA-2 algorithm: The how and why of the transition

  Is it time to make the move to the SHA-2 algorithm? Application security expert Michael Cobb discusses and offers tips to ease the transition.  Continue Reading

• Can open source cryptography libraries be trusted?

  After the Heartbleed fiasco, the future of OpenSSL and open source cryptography libraries is up in the air. Application Security Expert Michael Cobb discusses whether they can -- and should -- be trusted.  Continue Reading

• How to prevent preinstalled malware on mobile devices

  Preinstalled malware has become a major mobile security risk. Expert Nick Lewis explains how to detect malicious apps and defend against them.  Continue Reading

• The importance of an IT security governance body

  An IT security governance board is a key feature in security budgeting, but who makes up this body? Expert Joseph Granneman outlines the best structure for security governance boards.  Continue Reading

• Google's HIPAA-compliant cloud: what you need to know

  Before using the HIPAA-compliant cloud services from Google, there are some things companies need to know, according to expert Mike Chapple.  Continue Reading

• How to detect Android malware that leverages TOR

  A new variety of Android malware is using TOR for C&C communications. Expert Nick Lewis explains how to mitigate the threat.  Continue Reading

• Mobile keyloggers and touchscreen detection attacks

  A recent proof of concept shines new light on the future of mobile keyloggers. Michael Cobb reviews how to keep touchscreen devices safe from attack.  Continue Reading

• Mobile keyloggers: Defense measures against mobile keystroke logging

  Application security expert Michael Cobb explains how companies can defend themselves against the growing threat of mobile keystroke logging.  Continue Reading

• Should enterprises expect heightened risk on important dates?

  Does the date on the calendar have anything to do with the likelihood of an attack? Enterprise threats expert Nick Lewis provides his insight.  Continue Reading

• When single sign-on fails, is a second SSO implementation worthwhile?

  After a failed SSO implementation, is there any benefit to an enterprise trying again? Expert Michele Chubirka discusses.  Continue Reading

• Best practices for employer monitoring of social media

  Expert Joseph Granneman explains the best way for employers to approach social media monitoring as part of a social media policy for employees.  Continue Reading

• UTM vs. NGFW: Comparing unified threat management, next-gen firewalls

  What's the difference between unified threat management (UTM) products and next-generation firewalls (NGFW)? Brad Casey discusses.  Continue Reading

• Authentication caching: How it reduces enterprise network congestion

  Michael Cobb explores the pros and cons of authentication caching and whether the practice can truly calm network strain.  Continue Reading

• HSTS: How HTTP Strict Transport Security enhances application security

  Many websites are using HTTP Strict Transport Security (HSTS) to enhance application security, but is it really more effective than HTTPS?  Continue Reading

• How ISP services can improve enterprise cybersecurity

  Uncover which ISP services enterprises should seek from their providers to improve cybersecurity and mitigate cyberattacks.  Continue Reading

• Why TCP traffic spikes with source port zero should sound an alarm

  Are spikes in TCP traffic with source port zero warning signs that future attacks are imminent? Discover why enterprises should be concerned.  Continue Reading

• Preventing plaintext password problems in Google Chrome

  Plaintext passwords are risky business. Michael Cobb discusses what Google says about the Chrome password vulnerability and potential exploits.  Continue Reading

• Femtocell security: Defending against a femtocell hack

  The risk of a femtocell hack is a real enterprise concern. Nick Lewis explains why and explores how to defend against an attack.  Continue Reading

• How to use the RACI matrix for a security risk assessment

  Expert Joseph Granneman explains how the RACI matrix can be used as part of an information security risk assessment.  Continue Reading

• Heap spray attacks: Details and mitigations for new techniques

  Expert Nick Lewis details a new heap spray attack technique and provides mitigations for both new and old heap spray attacks.  Continue Reading

• Incident response lessons from Facebook's red team exercises

  Expert Nick Lewis provides advice for enterprises looking to take inspiration for an incident response plan from Facebook's red team exercises.  Continue Reading

• Is FTP malware threatening network port security?

  A diligent enterprise must watch for FTP attacks over non-standard ports, says network security expert Brad Casey.  Continue Reading

• Use John the Ripper to test network devices against brute forcing

  Enterprise IT security organizations should test network devices using John the Ripper to ensure they are not susceptible to brute-force attacks.  Continue Reading

• For a PCI-compliant database, implement database security controls

  Expert Mike Chapple details the necessary database security controls that an organization must implement to achieve a PCI-compliant database.  Continue Reading

• Will a password-strength meter lead to stronger passwords?

  Security expert Michael Cobb explores the benefits of password-strength meters in the enterprise and how they help users create strong passwords.  Continue Reading

• The value of 2,048-bit encryption: Why encryption key length matters

  Leading browsers are required to use 2,048-bit length keys by the end of the year, but what effect does this have on security?  Continue Reading

• The 2013 OWASP Top 10 list: What's changed and how to respond

  Expert Michael Cobb highlights the changes made in the 2013 OWASP Top 10 list, including new vulnerabilities and what they mean for enterprises.  Continue Reading

• Can an unqualified domain name cause man-in-the-middle attacks?

  An unqualified domain name can make reaching internal resources easier, but expert Michael Cobb warns that man-in-the-middle attacks could result.  Continue Reading

• RC4 attack details: Can the RC4 encryption algorithm protect SSL/TLS?

  Expert Michael Cobb provides background on the RC4 encryption algorithm and determines whether a recent RC4 attack signals trouble for SSL/TLS users.  Continue Reading

• How does steganography work and does it threaten enterprise data?

  Expert Joe Granneman explains how steganography works, and the ways it can both protect and threaten enterprise data.  Continue Reading

• Google Chrome clickjacking vulnerability: Time to switch browsers?

  Expert Nick Lewis explains the Google Chrome clickjacking vulnerability, including why avoiding the issue isn't as simple as switching browsers.  Continue Reading

• Fiber optic networking: Assessing security risks

  Matthew Pascucci discusses the potential security risks associated with fiber optic networking.  Continue Reading

• To nullify targeted attacks, limit out-of-office message security risk

  Expert Michael Cobb details how to reduce out-of-office message security risk --and thus targeted attacks -- by limiting personal info given.  Continue Reading

• The pros and cons of SSL decryption for enterprise network monitoring

  Expert Brad Casey discusses the pros and cons of SSL decryption to determine its viability as an enterprise network monitoring method.  Continue Reading

• Audit log security: How to monitor and protect audit logs

  Is it possible to make audit logs tamper-proof? Expert Matthew Pascucci offers best practices for audit log security and monitoring.  Continue Reading

• Huawei router security: Is there legitimate cause for concern?

  Security expert Matthew Pascucci discusses Huawei router security and offers four tips for evaluating the security of enterprise network equipment.  Continue Reading

• Determining ideal IPS throughput for new implementation

  Several factors go into determining IPS throughput requirements. Expert Matt Pascucci explains in this Q&A.  Continue Reading

• Bing security: Is search engine poisoning a problem for Bing users?

  Is Microsoft's Bing search engine more susceptible to search engine poisoning than Google? Expert Michael Cobb discusses Bing security.  Continue Reading

• What risk does the Apple UDID security leak pose to iOS users?

  Expert Michael Cobb details Apple's Unique Device Identifiers, plus why iOS users should be concerned about the Anonymous UDID security leak.  Continue Reading

• How to implement firewall policy management with a 5-tuple firewall

  Matt Pascucci explains how to implement firewall policy management for 5-tuple firewalls when ports must be kept open for business reasons.  Continue Reading

• Avoiding the invisible: How to defend against iFrame attacks

  How can enterprises and users protect themselves from malicious content embedded in iFrames? Expert Nick Lewis explores iFrame attack mitigations.  Continue Reading

• How to determine if you're using a PCI-compliant cloud provider

  Small business credit card processing from a PCI-compliant cloud provider can help reduce the burden of PCI compliance. Expert Mike Chapple explains.  Continue Reading

• Establish a screen timeout period as part of a BYOD security policy

  Expert Michael Cobb provides advice on why and how enterprises should establish a screen timeout period as part of any BYOD security policy.  Continue Reading

• BYOD security policy: Mitigate BYOD risk with device requirements

  How can enterprises mitigate the BYOD risk? Expert Michael Cobb suggests some device requirements to include in a BYOD security policy.  Continue Reading

• How to choose secure Android lock patterns

  Get advice from expert Michael Cobb on how to secure your Android device with good Android lock patterns.  Continue Reading

• Remote access audit: Assessing remote desktop access software

  Is your remote desktop access software really secure? Randall Gamby offers advice for conducting a remote access audit to validate security.  Continue Reading

• Types of SSO: Comparing two vendors' approaches to single sign-on

  Expert Randall Gamby discusses various types of single sign-on, specifically the approaches of Ping Identity's SSO and Symplified SSO.  Continue Reading

• How to manage feedback in the compliance review process

  The compliance review process can be complicated, especially when getting input from others. Mike Chapple offers advice to streamline the process.  Continue Reading

• Monitoring P2P activity by tracking corporate IP addresses

  Mike Chapple discusses whether you should be monitoring P2P activity with site crawling and info gathering websites like YouHaveDownloaded.com.  Continue Reading

• Securing big data: Architecture tips for building security in

  Expert Matt Pascucci advises a reader on securing big data with tips for building security into enterprise big data architectures.  Continue Reading

• IMEI authentication: OK as a mobile authenticator?

  Is IMEI authentication a secure choice when considering a mobile authenticator? Randall Gamby explains why it may not be a wise choice.  Continue Reading

• Password compliance and password management for PCI DSS

  Can poor password management lead to PCI DSS non-compliance? Mike Chapple outlines key password compliance best practices.  Continue Reading

• How to detect and mitigate Poison Ivy RAT malware-style attacks

  Learn how to prevent malcode like the Poison Ivy RAT malware, sophisticated malware that has been crafted especially for an enterprise take-down.  Continue Reading

• Does .cc domain malware demand domain blocking?

  Learn how to deal with .cc domain malware threats found within DNS traffic. Is domain blocking at the perimeter the best defense strategy?  Continue Reading

• Network topology mapping: How to automate network documentation

  Network topology mapping to boost security can be time-consuming. Learn how to automate network documentation with network management tools.  Continue Reading

• SIEM vs. DAM technology: Enterprise DAM implementation best practices

  Mike Cobb analyzes the differences between a SIEM and DAM implementation and how to successfully configure an enterprise DAM.  Continue Reading